Privacy Policy

Last updated: February 27, 2026

This Privacy Policy explains how [Company Name] ("Placed", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Placed platform ("Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable French data protection law.

1. Identity of the Controller

Data Controller: YREHstudio Lambersart, France

Contact Email:

hello@yreh.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (stored as a cryptographic hash, never in plaintext)
  • OAuth profile information (if you sign in via a third-party provider)

2.2 Room Photos and AI Analysis

When you use the Service, we process:

  • Room photos you upload for analysis
  • AI-generated analysis results (wall characteristics, room style, art recommendations, placement coordinates)
  • Your style preferences and selections

2.3 Generated Artwork

  • AI-generated artwork images created through the Service
  • Generation parameters (style, aspect ratio, prompts)

2.4 Order and Shipping Data

When you place an order, we collect:

  • Shipping address (name, street address, city, postal code, country)
  • Order details (product type, size, quantity, price)
  • Order status and tracking information

2.5 Payment Data

Payment information is processed directly by Stripe. We do not store your full credit card number, CVV, or other sensitive payment details on our servers. We receive only a transaction reference and payment status from Stripe.

2.6 Usage Data

We automatically collect:

  • IP address
  • Browser type and version (user agent)
  • Session identifiers
  • Pages visited and actions taken within the Service
  • Timestamps of activity

2.7 Cookies

We use the following cookies:

| Cookie | Purpose | Type | Duration | |--------|---------|------|----------| | Session cookie | Authentication and session management | Essential | Session | | Locale preference | Remembering your language preference | Essential | 1 year | | Analytics cookies | Understanding Service usage (with your consent) | Non-essential | Up to 1 year |

3. Legal Bases for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

| Legal Basis | Data and Purpose | |-------------|-----------------| | Contract performance (Art. 6(1)(b)) | Account creation and management; processing room photos for AI analysis and art generation; order fulfillment and shipping; payment processing | | Legitimate interest (Art. 6(1)(f)) | Service security and fraud prevention; service improvement and debugging; internal analytics | | Consent (Art. 6(1)(a)) | Marketing emails and newsletters; non-essential analytics cookies | | Legal obligation (Art. 6(1)(c)) | Tax and accounting records; responding to lawful requests from authorities |

4. How We Use Your Data

We use your personal data to:

  • Provide the Service: analyze your room photos, generate artwork, display previews, and fulfill print orders.
  • Process payments and manage orders.
  • Communicate with you about your account, orders, and the Service.
  • Improve the Service and fix issues.
  • Comply with legal obligations.
  • Send marketing communications (only with your consent).

5. Third-Party Processors

We share your data with the following third-party service providers ("sub-processors") who process data on our behalf:

| Processor | Purpose | Data Shared | Location | |-----------|---------|-------------|----------| | Anthropic | AI room analysis (Claude) | Room photos (as image data for analysis) | United States | | Black Forest Labs | AI art generation (FLUX) | Text prompts (no personal data in prompts) | Germany | | Gelato | Print fulfillment and shipping | Artwork image URL, shipping address, order details | EU | | Stripe | Payment processing | Payment details, email, billing address | United States (EU data center) | | AWS (Amazon S3) | File storage (room photos, generated artwork) | Uploaded images, generated images | EU (eu-west-3, Paris) | | Postmark | Transactional email delivery | Email address, email content | United States |

Each sub-processor is bound by a Data Processing Agreement (DPA) and processes data only as instructed by us.

6. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on:

  • EU-U.S. Data Privacy Framework (DPF): Where the processor is certified under the DPF.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use EU-approved Standard Contractual Clauses to ensure adequate protection.

We regularly assess the data protection practices of our sub-processors to ensure your data is adequately protected.

7. Data Retention

We retain your data for the following periods:

| Data Category | Retention Period | Reason | |---------------|-----------------|--------| | Account data | Until you delete your account | Service provision | | Room photos and AI analysis | Until you delete the project or your account | Service provision | | Generated artwork | Until you delete the project or your account | Service provision | | Order and shipping data | 10 years from order date | French accounting and tax obligations (Code de commerce, Art. L123-22) | | Payment transaction records | 10 years from transaction date | French accounting obligations | | Session and usage data | 30 days | Security and debugging | | Marketing consent records | Until consent is withdrawn, plus 3 years | Proof of consent |

When data is no longer needed, it is securely deleted or anonymized.

8. Your Rights Under the GDPR

Under Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access (Art. 15): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): You can ask us to restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of these rights, contact us at [privacy@placed.art]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715 75334 Paris Cedex 07, France Website: https://www.cnil.fr

You may also lodge a complaint with the supervisory authority in your country of residence.

9. Cookies

Essential Cookies

We use essential cookies that are strictly necessary for the Service to function. These include session authentication cookies and locale preference cookies. These do not require your consent.

Analytics Cookies

We may use analytics cookies to understand how the Service is used and to improve it. These cookies are only placed with your explicit consent, which you can provide or withdraw at any time through our cookie settings.

10. Children

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Secure password hashing (bcrypt/argon2).
  • Access controls limiting data access to authorized personnel.
  • Secure cloud infrastructure with regular security updates.
  • Regular review of security practices.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Email: [privacy@placed.art]
  • Company: [Company Name]
  • Address: [Registered Address, Paris, France]

Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715 75334 Paris Cedex 07, France https://www.cnil.fr